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ABSTRACT: Single sign-on mechanisms allow users to sign on only once and have their identities automatically verified 
by each application or service they want to access afterwards. There are few practical and secure single sign-on models, 
even though it is of great importance to current distributed application environments. Most of current application 
architectures require the user to memorize and utilize a different set of credentials (eg, username/password or tokens) for 
each application he/she wants to access. However, this approach is inefficient and insecure with the exponential growth in 
the number of applications and .services a user has to access both inside corporative environments and at the Internet. Single 
sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by- 
multiple service providers in distributed computer networks. Recently, Chang and Lee proposed a new SSO scheme and 
claimed its security by providing well-organized wearily arguments. In this paper, however, it is shown that their scheme is 
actually insecure as it fails to meet security during communication. Tins paper shows the Chang S:. Lee scheme and it aim:, 
to enhance security using AES encryption and decryption. Implementation is done using socket programming in Java. 
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I. INTRODUCTION 

Identification of user is an important access control mechanism for client-server networking architectures. The 
goal of a single sign on platform is to eliminate individual sign on procedures by centralizing user authentication and identity 
management at a central identity provider. In a single sign-on solution, the user should seamlessly authenticated to his 
multiple user accounts (across different systems) once he proves his identity to the identity provider. Nevertheless, in many 
current solutions, the user is required to repeat sign on for each service using the same set of credentials, which are validated 
at the identity provider by each service. 

User authentication [3], [4] plays a crucial role in distributed computer networks to verify the legacy of a user and 
then can be granted to access the services requested. To prevent bogus servers, users usually need to authenticate service 
providers. After mutual authentication, a session key may be negotiated to keep the confidentiality of data exchanged 
between a user and a provider [4], [5], [6]. In many scenarios, the anonymity of legal users should be protected as well [4], 
[7], [6]. These protocols offer varying degrees of efficiency. This paper aims to ensure more security to the existing Chang 
Lee SSO scheme. It also aims to add additional security during data transfer between user and provider. It also proposes 
further research into more efficient enhancements to the current work. The main objective of this paper is to enhance security 
for single sign-on solutions and eliminate the need for users to repeatedly prove their identities to different applications and 
hold different credentials for each application. 

II. RELATED WORKS 

In 2000, Lee and Chang [4] proposed a user identification and key distribution scheme to maintain user anonymity 
in distributed computer networks. Later, Wu and Hsu [8] pointed out that Lee-Chang scheme is insecure against both 
impersonation attack and identity disclosure attack. Meanwhile, Yang et al. [9] identified a weakness in Wu-Hsu scheme and 
proposed an improvement. In 2006, however, Mangipudi and Katti [10] pointed out that Yang et al.'s scheme suffers from 
DoS (Deniable of Service) attack and presented a new scheme. In 2009, Hsu and Chuang [11] showed that both Yang et al. 
and Mangipudi -Katti schemes were insecure under identity disclosure attack, and proposed an RSA-based user identification 
scheme to overcome the drawbacks. 

On the other hand, it is usually not practical by asking one user to maintain different pairs of identity and passwords 
for different service providers, since this could increase the workload of both users and service providers as well as the 
communication overhead of networks. To tackle this problem, single sign-on (SSO) mechanism [12] has been introduced so 
that after obtaining a credential from a trusted authority, each legal user can use this single credential to authenticate itself 
and then access multiple service providers. Intuitively, an SSO scheme should meet at least two basic security requirements, 
i.e., soundness and credential privacy. Soundness means that an unregistered user without a credential should not be able to 
access the services offered by service providers. Credential privacy guarantees that colluded dishonest service providers 
should not be able to fully recover a user's credential and then impersonate the user to log in other service providers. Formal 
security definitions of SSO schemes were given in [13]. Chang and Lee made a careful study of SSO mechanism. Firstly, 
they argued that Hsu-Chuang user identification scheme, actually an SSO scheme, has two weaknesses: (a) An outsider can 
forge a valid credential by mounting a credential forging attack since Hsu-Chang scheme employed naive RSA signature 
without any hash function to issue a credential for any random identity selected by a user ; and (b) Hsu-Chuang scheme 
requires clock synchronization since timestamp is used in their scheme. Then, Chang and Lee presented an interesting RSA 
based SSO scheme, which is highly efficient in computation and communication (So it is suitable for mobile devices), and 
does not rely on clock synchronization by using nonce instead of timestamp. Finally, they presented well-organized security 
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analysis to show that their SSO scheme supports secure mutual authentication, session key agreement, and user anonymity. 
In [13], Han et al. proposed a generic SSO construction which relies on broadcast encryption plus zero knowledge (ZK) 
proof showing that the prover knows the corresponding private key of a given public key. So, implicitly each user is assumed 
to have been issued a public key in a public key infrastructure (PKI). In the setting of RSA cryptosystem, such a ZK proof is 
very inefficient due to the complexity of interactive communications between the prover (a user) and the verifier (a service 
provider). Therefore, compared with Han et al.'s generic scheme, Chang-Lee scheme has several attracting features: less 
underlying primitives without using broadcast encryption, high efficiency without resort to ZK proof, and no requirement of 
PKI for users. 



Table I: Nota tions used in the algorithm 
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III. PROPOSED SCHEME 

The notations used in the algorithm are explained in Table I. The scheme consists of three phases: 

A. System Initialization Phase 
SCPC does the following 

1. selects large two primes p, q and computes p*q. 

2. determines the key pair (e,d) such that e *d = lmod <p(N), where (p(N)=(p - l)*(q - 1). 

3. chooses a generator g over the finite field Z*n, where n is a large odd prime number. 

4. SCPC protects the secrecy of d and publishes (e,g,n,N). 

B. Registration Phase 

1. Each user U. registers a unique identity ID. with a fixed bit length. 

2. Obtain a secret token S.=(ID.IIh(ID.))^ mod N, from the SCPC through a secure channel where h( ) is a cryptographic 
one-way hash function. 

C. User Identification Phase 

U. submits the request with a random nonce nl, ml to P. . On receiving ml, P. chooses a random number k and then 

generates a random nonce n2. P. calculates Z = g^ mod n, u = h(ZIIID. Ilnl), and the signature v = (ullh(u))^ mod N. .Next, 
P. sends the message m2 = {Z,v,n2} back to U.. After receiving m2 from P., U. computes u =h (ZIIID. Ilnl) and performs the 

next step. U. verifies the signature v by checking the equivalency of v 6 . mod N?=(ullh(u))mod N. . Otherwise, U. informs P. 
that someone has tampered with Z and aborts the protocol. Otherwise, U. chooses a random number t to be his short-term 

private key and computes w = g mod n. U. calculates the parameter k.. as k.. = Z mod n. U. generates a random nonce n3 
and calculates three parameters K.., x and y in accordance with the following equations: K. = h(ID. Ilk i. ), the session key, x 



^Kij 



(IDilln3lln2), where E(-) is a symmetric crypto system such as DES or AES. U. sends m3 



= {w,x,y} to P. After receiving m3, P. computes k„ as k^ = w mod n. P. can obtain the session key K„ by computing K„ 
=h(ID^ II k.j). Pj uses K^ to decrypt cipher text y and retrieves IDi, n3, and n2. If n2 is valid, Pj computes SIDi = 
(IDillh(IDi)). P. verifies the validity of the identity IDi by checking SID. ^ Hwlln2) ^ N? = x e moc j n. If the equation 
holds, P^ trusts that U. is a legal user. P. computes V = h(n3) and sends m4 = {V } to Ui. After receiving m4 from P^, U. 
computes V ||= h(n3) and confirms that V? = V '. When both the equations are same, U. trusts that P. is an authorized service 
provider and P. has really calculated the common session key K... 
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C. Encryption and Decryption Phase: Encryption and Decryption between user and provider is ensured using AES 
algorithm which is more secure than DES and there are currently no known non-brute-force attacks against AES. Data which 
is send from each provider to user is encrypted and send to the user, then the user decrypts it and the original data is 
retrieved. All these encryption and decryption are done using the more secure Advanced Encryption Algorithm (AES). The 
implementation is done using socket programming in Java and it uses server programs and client programs. To run in 
different machines, programming is based on IP address of the systems. Using the multithreading features of Java, all the 
providers can be run in parallel. The overall checking of authentication of user and provider are explained in fig.l. 




Re sister 3. Register 
5, user is authenticated 




fi. Provider is authenticated 
Figure 1 : Checking authentication of user and provider 



HL1. ADVANTAGES OF SSO 

Users need only one password for access to all applications and systems. 

Users can access the corporate network at the start of their workday. 

Users have immediately have access to all necessary password-protected applications. 

Users don't need to remember multiple passwords. 

Users don't have to write down their passwords. 

Users don't have to guess passwords, which potentially expose applications to unauthorized users. 

For example, Google Accounts allows a user to sign on to different services provided by Google using the same 
username/password pair. Another famous example is RSA SecurlD [14], which a two factor authentication solution based on 
a OTP token and classical username/password credentials, allowing a user to sign on to several SecurlD enabled services 
using the same token. However, a recent attack to EMC facilities exposed the overall fragility of this heuristic system. Even 
though their security was unaffected by current attacks, both solutions still require the user to repeatedly perform the sign on 
procedure. In most of current transparent single sign-on architectures, the user receives some kind of "authentication ticket" 
after he successfully signs on to the identity provider. When the user desires to sign on, he sends this ticket to the intended 
service provider or application, which then verifies it's validity by direct communication with the identity provider. This 
approach has several drawbacks, such as complex management and the requirement of secure online communication 
between applications and identity providers, which increases network traffic and processing loads. 

IV. METHODOLOGY 

In the existing system, different security schemes are proposed by many researchers. In the proposed system, 
various Client-Server programs are written to implement the project using socket programming in Java. This work uses the 
multithreading features of Java to run in parallel for different providers. Chang-Lee algorithm is used for user identification 
phase. But, it is using a less secure DES algorithm. This paper user a more secure AES algorithm to enhance the security 
features. So, this scheme is more secure than Chang-Lee scheme. 

V. CONCLUSION 

This paper proposes a secure single sign-on mechanism based on one-way hash functions and random nonces to 
solve the weaknesses described above and to decrease the overhead of the system. Encryption and Decryption of data sent 
between user and provider can improve security of communication. Encryption and Decryption process can be done using a 
more secure algorithm, ie, AES Encryption. AES is strong enough to be certified for use by the US govt, for top secret 
information. AES is federal information processing standard and there are currently no known non-brute-force attacks 
against AES. Thus AES is given priority than other standards when security is taken into consideration. By using this sso 
scheme, users need only one password for secure access to all applications and systems and would lock out the hackers 
entering into the system. But there are some vulnerability problems and there should be a good password, one that is very 
hard to crack. 

This paper proposes further research into more efficient enhancements for security of single sign on for distributed 
computer networks. For third-party sites, credential generation and synced, cloud-based storage can be provided. Auto login, 
Smart cards, Biometrics are other methods to enhance security for single sign on mechanism for distributed computer 
networks. 
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